SlideShare a Scribd company logo

Super Easy Memory Forensics

IIJ
IIJ

FIRSTCON22のワークショップで使用した資料です。 https://www.first.org/conference/2022/program#pSuper-Easy-Memory-Forensics-You-Can-Mount-Memory-Images-and-Analyze-them-with-Explorer-and-Notepad

1 of 151
Download to read offline
Super Easy Memory Forensics
- You Can "Mount" Memory Images
and Analyze them with Explorer and Notepad -
Internet Initiative Japan Inc.
Hiroshi Suzuki and Hisao Nashiwa
About this Document
• This document is a part of a commercial training course, named “A
Comprehensive Guide to Digital Forensics & Malware Analysis for
Practical Incident Response”, held at Black Hat USA.
• https://www.blackhat.com/us-22/training/schedule/index.html#a-
comprehensive-guide-to-digital-forensics--malware-analysis-for-practical-
incident-response-25540
• This course is not for just a memory forensics analysis course. You can
learn comprehensive DFIR and malware analysis techniques.
Copyright Internet Initiative Japan Inc. 2
Introduction
Copyright Internet Initiative Japan Inc. 3
Who Are We?
• Hiroshi Suzuki and Hisao Nashiwa are from “Internet
Initiative Japan Inc.” that is called “IIJ” for short.
• IIJ is a Japanese ISP (We are the first commercial ISP in
Japan).
• We belong to the CSIRT team (IIJ-SECT) of our company.
• We are malware analysts and forensic investigators.
• We have been past Black Hat Briefing speakers (USA,
Europe and Asia) and Trainers (USA).
4
Copyright Internet Initiative Japan Inc.
Typical Incident Response Flow
5
Interview with a Victim Memory Acquisition with
Triaged Acquisition
Disk Forensics, Malware Analysis
Live Response / Live Forensics
Memory Forensics with
Fast Forensics
Disk Acquisition
Copyright Internet Initiative Japan Inc.
Memory Forensics 101 (1)
• What is Memory Forensics?
• It is a method to analyze memory images of infected computers.
• Why Memory Forensics?
• It is important for analysts to investigate rapidly, to find information such as
which process communicated with malicious hosts, and what kind of programs
were executed on the infected computers.
• The size of memory image is smaller than the disk. Therefore, it takes less time
to acquire and analyze images. We can quickly start to investigate it while
acquiring disk images.
Copyright Internet Initiative Japan Inc. 6

Recommended

Live memory forensics
Live memory forensicsLive memory forensics
Live memory forensicsMehedi Hasan
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breachSumedt Jitpukdebodin
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 

More Related Content

What's hot

Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryJoe Desimone
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
The Trouble with Cloud Forensics
The Trouble with Cloud ForensicsThe Trouble with Cloud Forensics
The Trouble with Cloud ForensicsSharique Rizvi
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
Virtual Machine Forensics
Virtual Machine ForensicsVirtual Machine Forensics
Virtual Machine Forensicsprimeteacher32
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data ScienceAustin Taylor
 
Got SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouGot SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouAnton Chuvakin
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 

What's hot (20)

Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
 
The Trouble with Cloud Forensics
The Trouble with Cloud ForensicsThe Trouble with Cloud Forensics
The Trouble with Cloud Forensics
 
Forensic imaging tools
Forensic imaging tools Forensic imaging tools
Forensic imaging tools
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
 
Virtual Machine Forensics
Virtual Machine ForensicsVirtual Machine Forensics
Virtual Machine Forensics
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data Science
 
Got SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouGot SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For You
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Tools kali
Tools kaliTools kali
Tools kali
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 

Similar to Super Easy Memory Forensics

Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
H@dfex 2015 malware analysis
H@dfex 2015   malware analysisH@dfex 2015   malware analysis
H@dfex 2015 malware analysisCharles Lim
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher Jack Fletcher
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andAlisa Esage Шевченко
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolsN.Jagadish Kumar
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101Mona Arkhipova
 

Similar to Super Easy Memory Forensics (20)

Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 
H@dfex 2015 malware analysis
H@dfex 2015   malware analysisH@dfex 2015   malware analysis
H@dfex 2015 malware analysis
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Dracos forensic flavor
Dracos forensic flavorDracos forensic flavor
Dracos forensic flavor
 
DracOs Forensic Flavor
DracOs Forensic FlavorDracOs Forensic Flavor
DracOs Forensic Flavor
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101
 

More from IIJ

プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例
プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例
プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例IIJ
 
IIJ_デジタルワークプレース事業紹介資料
IIJ_デジタルワークプレース事業紹介資料IIJ_デジタルワークプレース事業紹介資料
IIJ_デジタルワークプレース事業紹介資料IIJ
 
監視 Overview
監視 Overview監視 Overview
監視 OverviewIIJ
 
HTTPを理解する
HTTPを理解するHTTPを理解する
HTTPを理解するIIJ
 
DevOps Overview
DevOps OverviewDevOps Overview
DevOps OverviewIIJ
 
ただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学び
ただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学びただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学び
ただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学びIIJ
 
上っ面スクラムチームにならないために気を付けたいこと
上っ面スクラムチームにならないために気を付けたいこと上っ面スクラムチームにならないために気を付けたいこと
上っ面スクラムチームにならないために気を付けたいことIIJ
 
チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談
チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談
チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談IIJ
 
【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?
【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?
【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?IIJ
 
コロナ禍での白井データセンターキャンパスの運用施策
コロナ禍での白井データセンターキャンパスの運用施策コロナ禍での白井データセンターキャンパスの運用施策
コロナ禍での白井データセンターキャンパスの運用施策IIJ
 
コロナ禍の開発勉強会~社内教育ツールの開発と実装
コロナ禍の開発勉強会~社内教育ツールの開発と実装コロナ禍の開発勉強会~社内教育ツールの開発と実装
コロナ禍の開発勉強会~社内教育ツールの開発と実装IIJ
 
セキュリティ動向2020
セキュリティ動向2020セキュリティ動向2020
セキュリティ動向2020IIJ
 
バックボーン運用から見るインターネットの実情
バックボーン運用から見るインターネットの実情バックボーン運用から見るインターネットの実情
バックボーン運用から見るインターネットの実情IIJ
 
データセンターのエネルギーコントロールの仕組み
データセンターのエネルギーコントロールの仕組みデータセンターのエネルギーコントロールの仕組み
データセンターのエネルギーコントロールの仕組みIIJ
 
世界のインターネット事情
世界のインターネット事情世界のインターネット事情
世界のインターネット事情IIJ
 
フロントからバックエンドまで - WebAssemblyで広がる可能性
フロントからバックエンドまで - WebAssemblyで広がる可能性フロントからバックエンドまで - WebAssemblyで広がる可能性
フロントからバックエンドまで - WebAssemblyで広がる可能性IIJ
 
あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~
あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~
あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~IIJ
 
インシデント調査システムが内製すぎる件~CHAGEのご紹介~
インシデント調査システムが内製すぎる件~CHAGEのご紹介~インシデント調査システムが内製すぎる件~CHAGEのご紹介~
インシデント調査システムが内製すぎる件~CHAGEのご紹介~IIJ
 
IIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっています
IIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっていますIIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっています
IIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっていますIIJ
 
IIJ Technical DAY 2019 ~ セキュリティ動向2019
IIJ Technical DAY 2019 ~ セキュリティ動向2019IIJ Technical DAY 2019 ~ セキュリティ動向2019
IIJ Technical DAY 2019 ~ セキュリティ動向2019IIJ
 

More from IIJ (20)

プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例
プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例
プロダクトオーナーと開発者が別会社・別組織でも前のめりなチームを生み出す取り組み事例
 
IIJ_デジタルワークプレース事業紹介資料
IIJ_デジタルワークプレース事業紹介資料IIJ_デジタルワークプレース事業紹介資料
IIJ_デジタルワークプレース事業紹介資料
 
監視 Overview
監視 Overview監視 Overview
監視 Overview
 
HTTPを理解する
HTTPを理解するHTTPを理解する
HTTPを理解する
 
DevOps Overview
DevOps OverviewDevOps Overview
DevOps Overview
 
ただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学び
ただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学びただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学び
ただいま三河。あれから1年、チームNOCKncokが開発しないスクラムで成果を出した経験から得た学び
 
上っ面スクラムチームにならないために気を付けたいこと
上っ面スクラムチームにならないために気を付けたいこと上っ面スクラムチームにならないために気を付けたいこと
上っ面スクラムチームにならないために気を付けたいこと
 
チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談
チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談
チームみを大切にした 私たちの“受託アジャイル・スクラム”体験談
 
【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?
【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?
【解説】IKE(IIJ Kubernetes Engine):= Vanilla Kubernetes + 何?
 
コロナ禍での白井データセンターキャンパスの運用施策
コロナ禍での白井データセンターキャンパスの運用施策コロナ禍での白井データセンターキャンパスの運用施策
コロナ禍での白井データセンターキャンパスの運用施策
 
コロナ禍の開発勉強会~社内教育ツールの開発と実装
コロナ禍の開発勉強会~社内教育ツールの開発と実装コロナ禍の開発勉強会~社内教育ツールの開発と実装
コロナ禍の開発勉強会~社内教育ツールの開発と実装
 
セキュリティ動向2020
セキュリティ動向2020セキュリティ動向2020
セキュリティ動向2020
 
バックボーン運用から見るインターネットの実情
バックボーン運用から見るインターネットの実情バックボーン運用から見るインターネットの実情
バックボーン運用から見るインターネットの実情
 
データセンターのエネルギーコントロールの仕組み
データセンターのエネルギーコントロールの仕組みデータセンターのエネルギーコントロールの仕組み
データセンターのエネルギーコントロールの仕組み
 
世界のインターネット事情
世界のインターネット事情世界のインターネット事情
世界のインターネット事情
 
フロントからバックエンドまで - WebAssemblyで広がる可能性
フロントからバックエンドまで - WebAssemblyで広がる可能性フロントからバックエンドまで - WebAssemblyで広がる可能性
フロントからバックエンドまで - WebAssemblyで広がる可能性
 
あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~
あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~
あ! やせいのEmotetがあらわれた! ~ IIJ C-SOCサービスの分析ルールについて~
 
インシデント調査システムが内製すぎる件~CHAGEのご紹介~
インシデント調査システムが内製すぎる件~CHAGEのご紹介~インシデント調査システムが内製すぎる件~CHAGEのご紹介~
インシデント調査システムが内製すぎる件~CHAGEのご紹介~
 
IIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっています
IIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっていますIIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっています
IIJ Technical DAY 2019 ~ IIJのサーバインフラはここまでやっています
 
IIJ Technical DAY 2019 ~ セキュリティ動向2019
IIJ Technical DAY 2019 ~ セキュリティ動向2019IIJ Technical DAY 2019 ~ セキュリティ動向2019
IIJ Technical DAY 2019 ~ セキュリティ動向2019
 

Recently uploaded

Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...ssuser7b7f4e
 
UGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptxUGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptxRitesh Sahu
 
Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defensethirdeyegen65
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetmatt806068
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionalsthirdeyegen65
 
Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspacesttyk
 
Model Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfModel Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfgalfinprihardiputra0
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Damar Juniarto
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....josephiigo
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter TuningVarun Garg
 

Recently uploaded (10)

Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...
 
UGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptxUGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptx
 
Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defense
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budget
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
 
Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspace
 
Model Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfModel Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdf
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
 

Super Easy Memory Forensics

  • 1. Super Easy Memory Forensics - You Can "Mount" Memory Images and Analyze them with Explorer and Notepad - Internet Initiative Japan Inc. Hiroshi Suzuki and Hisao Nashiwa
  • 2. About this Document • This document is a part of a commercial training course, named “A Comprehensive Guide to Digital Forensics & Malware Analysis for Practical Incident Response”, held at Black Hat USA. • https://www.blackhat.com/us-22/training/schedule/index.html#a- comprehensive-guide-to-digital-forensics--malware-analysis-for-practical- incident-response-25540 • This course is not for just a memory forensics analysis course. You can learn comprehensive DFIR and malware analysis techniques. Copyright Internet Initiative Japan Inc. 2
  • 4. Who Are We? • Hiroshi Suzuki and Hisao Nashiwa are from “Internet Initiative Japan Inc.” that is called “IIJ” for short. • IIJ is a Japanese ISP (We are the first commercial ISP in Japan). • We belong to the CSIRT team (IIJ-SECT) of our company. • We are malware analysts and forensic investigators. • We have been past Black Hat Briefing speakers (USA, Europe and Asia) and Trainers (USA). 4 Copyright Internet Initiative Japan Inc.
  • 5. Typical Incident Response Flow 5 Interview with a Victim Memory Acquisition with Triaged Acquisition Disk Forensics, Malware Analysis Live Response / Live Forensics Memory Forensics with Fast Forensics Disk Acquisition Copyright Internet Initiative Japan Inc.
  • 6. Memory Forensics 101 (1) • What is Memory Forensics? • It is a method to analyze memory images of infected computers. • Why Memory Forensics? • It is important for analysts to investigate rapidly, to find information such as which process communicated with malicious hosts, and what kind of programs were executed on the infected computers. • The size of memory image is smaller than the disk. Therefore, it takes less time to acquire and analyze images. We can quickly start to investigate it while acquiring disk images. Copyright Internet Initiative Japan Inc. 6
  • 7. Memory Forensics 101 (2) • What is the difference between memory forensics and live response? • Initial investigation of memory forensics is similar to live response. • In addition, we can access code and data without running OSes. Therefore, we are unlikely to be affected by rootkits and anti-analysis techniques. • What is the difference between this analysis and disk forensics? • Since malware decrypts or de-obfuscates its data and its configuration while running on memory, unlike packed files on a disk, we may be able to access the plain data. This is one of the advantages over disk forensics. Copyright Internet Initiative Japan Inc. 7
  • 8. Memory Forensics Tools (1) • Memory Image Acquisition Tools • WinPmem • DumpIt • LeechCore (w/ LeechAgent for remote acquisition) • Triaged Acquisition (Fast Forensic) Tool • KAPE • CDIR Collector • Memory Image Analysis Tools • MemProcFS • Volatility Framework • Rekall (no longer maintained) • Redline (almost abandoned) • WinDbg • SwishDbgExt (third-party WinDbg plugin) • We will mainly use MemProcFS and Volatility Framework version 3 in this course. Copyright Internet Initiative Japan Inc. 8
  • 9. Memory Forensics Tools (2) MemProcFS (1) • It is one of the open-source memory forensics tools. • https://github.com/ufrisk/MemProcFS • You can “mount” a memory image like a disk image. • You can check each process memory space as a file, even each segment on a process memory as a file. • It can handle page files as well. • It can handle memory compression feature on Windows. • This is much faster than Volatility Framework because it is mainly written in C/C++. Copyright Internet Initiative Japan Inc. 9
  • 10. Memory Forensics Tools (3) MemProcFS (2) • It can convert a memory image into Windows crash dump file format virtually. • It can also create a timeline of $MFT, registry hives, process creation dates and so on. • It has a plugin architecture as well. Copyright Internet Initiative Japan Inc. 10
  • 11. Strategies of Memory Forensics Copyright Internet Initiative Japan Inc. 11
  • 12. Strategies • There are three main strategies of memory forensics. • Checking process tree • Investigating TCP/IP communications • Finding RWX sections • We will learn them quickly while performing several exercises before starting CTF-style game. But let me introduce the concept here. Copyright Internet Initiative Japan Inc. 12
  • 13. Strategies of Memory Forensics • Checking process tree • Investigating TCP/IP communications • Finding RWX sections Copyright Internet Initiative Japan Inc. 13
  • 14. Strategies of Memory Forensics Checking Process Tree (1) • Why the process tree is important? • We can often find anomalies in the process tree if malware is executed. For example: • A process you do not normally see on it appears • E.g. strange path, non-existent binary by default… • A process that is not where it should be • In other words, it is a legitimate process but not under a legitimate sub tree chain. • E.g. Orphan process, svchost.exe not under services.exe, IE process not under explorer.exe… • If you are interested in the process tree, check the URLs below. • https://www.sans.org/posters/hunt-evil/ • https://nasbench.medium.com/windows-system- processes-an-overview-for-blue-teams- 42fa7a617920 Copyright Internet Initiative Japan Inc. 14
  • 15. Strategies of Memory Forensics Checking Process Tree (2) • When a program is executed, which parent process will add the process as a child? Copyright Internet Initiative Japan Inc. 15 Action / Persistence Parent Process Note Double-click it from explorer Explorer.exe Choosing it from start-menu Explorer.exe Startup folder Explorer.exe Run key (HKU/HKLM) Explorer.exe Service Services.exe * * If it is an executable file, not a DLL and not a driver. Task Scheduler Svchost.exe -k netsvcs WMI wmiprvse.exe The grand parent process is “svchost -k DcomLaunch”.
  • 16. Strategies of Memory Forensics Checking Process Tree (3) • Like the previous slide, only several processes typically spawn child processes when a program is executed by a user manually or by the OS from an auto-start location. You have to pay attention to them. Copyright Internet Initiative Japan Inc. 16
  • 17. Strategies of Memory Forensics Checking Process Tree (4) • In addition to the child processes of the specific processes we learned previously, you will also need to pay attention to orphan processes, which means processes without any parent processes except for the essential processes such as SYSTEM, csrss.exe and wininit.exe. • But why are orphan processes important? Copyright Internet Initiative Japan Inc. 17
  • 18. Strategies of Memory Forensics Checking Process Tree – Orphan Processes (1) • Why? 1. When a user double-clicks an executable file for example, the process is created as a child process of explorer.exe. 2. If the created process (Malware A) uses a remote code injection technique such as Process Hollowing or Reflective PE Injection, the malware creates a child process (Process B) and injects malicious code into the process. Explorer Malware A Process B (e.g. IE, svchost …) with malicious code 1. Executed by user 2. Create a Process and Inject Malicious Code 18 Copyright Internet Initiative Japan Inc.
  • 19. Strategies of Memory Forensics Checking Process Tree – Orphan Processes (2) 3. The process (Malware A) exits immediately after injecting code into the remote process (Process B). Explorer Malware A Process B (e.g. IE, svchost …) with malicious code 19 Copyright Internet Initiative Japan Inc. 3. Exit this process
  • 20. Strategies of Memory Forensics Checking Process Tree – Orphan Processes (3) • Therefore, the link between Explorer and Process B is broken and the process that malicious code has been injected becomes an orphan. Explorer Orphan Process Process B (e.g. IE, svchost …) with malicious code 20 Copyright Internet Initiative Japan Inc.
  • 21. Strategies of Memory Forensics Checking Process Tree – Summary • We recommend checking the process tree to find suspicious processes in this order. 1. Orphan processes (for PE injection) 2. Child processes of Explorer (for start-up, Run key…) 3. Child processes of svchost.exe (svchost.exe -k netsvcs) (for task scheduler) 4. Child processes of wmiprvse.exe (for WMI) 5. Child processes of services.exe (for services) Copyright Internet Initiative Japan Inc. 21
  • 22. Strategies of Memory Forensics • Checking process tree • Investigating TCP/IP communications • Finding RWX sections Copyright Internet Initiative Japan Inc. 22
  • 23. Strategies of Memory Forensics Investigating TCP/IP communications • You are often able to find evidence by investigating the TCP/IP communication status. For example: • Some sorts of malware, especially RATs, connect to external servers frequently. • If malware has a remote shell, a reverse proxy, or a P2P communication capability, it listens on some ports. Copyright Internet Initiative Japan Inc. 23
  • 24. Strategies of Memory Forensics • Checking process tree • Investigating TCP/IP communications • Finding RWX sections Copyright Internet Initiative Japan Inc. 24
  • 25. Strategies of Memory Forensics Other Anomalies • If code is injected into an existent process, there is no change on the process tree. However, you can still find some anomalies even if you are under the situation by checking particular data such as: • Memory permission (Especially RWX/RX memory regions that do not belong to any modules. E.g. private RWX/RX and mapped memory RWX/RX) • External communications (We have already checked) • Handles (By checking files, registries and mutant values) • Call stacks of threads Copyright Internet Initiative Japan Inc. 25
  • 26. Strategies of Memory Forensics Finding RWX memory sections • Why is it important to check the “RWX” rights in memory? • “RWX” means the memory section is Readable/Writable/Executable. • Legitimate processes (especially Microsoft binaries) do not typically have any “RWX” memory sections. This is because attackers could use “RWX” sections for exploiting, such as arbitrary code execution. • Microsoft tries to eradicate those sections from normal processes, especially from MS Office such as Word and Excel, Internet Explorer and so on. Therefore, if you found this in a legitimate process, a “remote code injection” might have occurred. • There are some exceptions. For example: • We sometimes see legitimate “explorer.exe”, “SearchHost.exe”, “smartscreen.exe”, Outlook, Teams and OneDrive have some “RWX” sections. • We have also seen some kinds of anti-virus software inject such a section into all processes. 26 Copyright Internet Initiative Japan Inc.
  • 27. Practice Exercise Copyright Internet Initiative Japan Inc. 27
  • 28. Practice Exercise: Case 1 • We will learn memory forensics strategies through the investigation of the memory image in case 1. • The memory images included in the VM were acquired from Windows clients infected with malware. • Case 1: Windows 11 21H2 • Case 2: Windows 11 21H2 • Case 3: Windows 11 21H2 • Case 4a: Windows 10 1903 • Case 4b: Windows 10 1903 Copyright Internet Initiative Japan Inc. 28
  • 29. Practice Exercise Preparation (1) • Mount the target memory image with MemProcFS. • Launch a command prompt. • Navigate to the MemProcFS folder. • Mount the memory image and swap files for "case1" with the following commands. Copyright Internet Initiative Japan Inc. 29 cd C:toolsMemProcFS .MemProcFS.exe -device C:Artifactscase1physmem.raw -pagefile0 C:Artifactscase1pagefile.sys -pagefile1 C:Artifactscase1swapfile.sys -forensic 2 Enter this in a single line.
  • 30. Practice Exercise Preparation (2) • Then, you can investigate the memory image by exploring drive M. Copyright Internet Initiative Japan Inc. 30
  • 31. Note for using MemProcFs and Volatility Framework 3 • By the way, for MemProcFs, if you want to mount a memory image on a different drive letter, you can add “-mount” option with a drive letter to the command arguments. • For example, “-mount s” will mount the image on drive “S:”. • One more notice: If you want to analyze different versions of Windows OSes with MemProcFs or Volatility Framework 3, you will need an Internet connection. It is because they rely on Microsoft Symbol server to identify its OS version and several important structure members of the target image. • We have already prepared the symbols of the OS at this time. Copyright Internet Initiative Japan Inc. 31
  • 32. Practice Exercise Process Tree • Process tree is found in the following text files. • M:sysprocproc.txt • M:sysprocproc-v.txt Copyright Internet Initiative Japan Inc. 32
  • 33. Practice Exercise Process Tree - orphan processes • A process that starts with a “-” is an orphan process. Copyright Internet Initiative Japan Inc. 33 Open “proc.txt”. You can get running processes information on the system. You can check parent-child relationships by counting “-” and even orphan processes since it is in the form of a process tree. Here, let’s focus on the explorer subtree first.
  • 34. Practice Exercise Child processes of Explorer (1) • Processes launched: • by a user double-clicking • from the Start menu by a user • from a startup-item or a run key registry entry • will be added to the explorer sub-tree. Copyright Internet Initiative Japan Inc. 34
  • 35. Practice Exercise Child processes of Explorer (2) • You can see the path of the program corresponding to a process, and command-line by checking "proc-v.txt". • Let’s check the processes under the sub-tree. Copyright Internet Initiative Japan Inc. 35 Full path of the program (with a drive letter) (It is not always displayed) command-line of the process (It is not always displayed) Start time End time (if it is already terminated) (this process is still running because it is “***”.) Full path of the program (with a device name) Mandatory level (High is the elevated privilege by UAC.)
  • 36. Practice Exercise Child processes of Explorer (3) • cdir-collector.exe and its child processes (conhost.exe, winpmem_mini_x64_rc2.exe) • cdir-collector is the acquisition tool that we used to acquire the memory image and swap files. It calls winpmem to dump a memory image. Thus, these are not suspicious in this case. • OneDrive.exe • SecurityHealthSystray.exe • These two programs are pre-installed in modern Windows clients. Let’s ignore them first. It is a priority matter. However…, Copyright Internet Initiative Japan Inc. 36
  • 37. Is OneDrive Always Safe? Copyright Internet Initiative Japan Inc. 37 A spiderpig sample performs a DLL side loading attack by putting a malicious DLL into the OneDrive folder of the current user to make OneDrive load it. This is a rare case but you might need to look into it even if a process was a legitimate program. See the detailed report if you are interested in. https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf
  • 38. Practice Exercise Child processes of Explorer (4) • vmtoolsd.exe • It is a component of VMware. Virtual machines running on VMware typically have two vmtoolsd processes. One is running as a service with the SYSTEM privilege, and the other is running as a user process under the explorer sub- tree. We used VMware to create the memory image, so you can ignore this. • browser-up.exe • Is it a common process? Maybe it is malware, or just a legitimate third-party application. Anyway, let's keep it in mind. Copyright Internet Initiative Japan Inc. 38
  • 39. Practice Exercise Child processes of Explorer (5) Copyright Internet Initiative Japan Inc. 39 • By checking proc-v.txt for browser-up.exe, you can confirm the location of the program. It is placed under the startup folder. • The process was executed by localadmin. We can see that it was not elevated to the privilege because the mandatory level was medium. • We found a suspicious process, named browser-up.exe. However, let’s continue checking the process tree. • Next, let’s check the processes under services.exe, which are launched as services.
  • 40. Practice Exercise Other Important Subtrees (1) • Child processes of services.exe • “services.exe” has almost forty child processes. • At a glance, these child processes look Windows components including svchost.exe, which is a service host executable for internal Windows services, or VMware related drivers because of their paths and their names. Of course, they could be forged ones. But it is difficult to distinguish malicious ones by only checking the information here and they are legitimate in most cases. Thus, look for other suspicious processes first. Copyright Internet Initiative Japan Inc. 40
  • 41. Practice Exercise Other Important Subtrees (2) • Child processes of svchost.exe (svchost.exe -k netsvcs) • You can find that PID 372 has this command line by checking proc-v.txt, and there are three child processes of it. • sihost.exe, taskhostw.exe and MicrosoftEdgeUpdate.exe • They also look legitimate Windows components placed in the normal paths so put them aside now. • Child processes of wmiprvse.exe • There are no child processes of wmiprvse.exe in the process tree. Copyright Internet Initiative Japan Inc. 41
  • 42. Practice Exercise Orphan Processes • A process that starts with a single "-" is an orphan process. • System • csrss.exe (x2) • wininit.exe • winlogon.exe • msedgewebview2 • The top four are always orphan while a Windows system is running. The bottom one, msedgewebview2 is a process of Microsoft Edge WebView2 component that is used to embed a web component into native applications such as Widgets, Teams and Outlook. • We confirmed that msedgewebview2 processes that are used for widget applications sometimes become orphan on Windows 11 clients. • Although some kinds of malicious code could have been injected into the msedgewebview2 process, we cannot confirm it since the process has already exited. So, put this aside and move on to the next. • As a result, we found that there are no unnatural orphan processes. Copyright Internet Initiative Japan Inc. 42
  • 43. Practice Exercise Checking Process Tree with Volatility 3 (1) • By the way, with Volatility Framework 3, you can check the process tree by executing the following commands. Copyright Internet Initiative Japan Inc. 43 cd C:Toolsvolatility3 py -3 vol.py -f C:Artifactscase1physmem.raw windows.pstree.PsTree
  • 44. Practice Exercise Checking Process Tree with Volatility 3 (2) • Volatility's PsTree does not show command lines and user names of processes unlike MemProcFS, so you will need to check them with the following commands as well. Copyright Internet Initiative Japan Inc. 44 py -3 vol.py -f C:Artifactscase1physmem.raw windows.cmdline.CmdLine py -3 vol.py -f C:Artifactscase1physmem.raw windows.getsids.GetSIDs
  • 45. Copyright Internet Initiative Japan Inc. 45 py -3 vol.py -f C:Artifactscase1physmem.raw windows.cmdline.CmdLine Unfortunately, we could not get the result. We think the cause of the problem is that Volatility does not support memory compression yet. https://github.com/volatilityfoundation/volatility3/issues/136
  • 46. Copyright Internet Initiative Japan Inc. 46 py -3 vol.py -f C:Artifactscase1physmem.raw windows.getsids.GetSIDs Browser-up.exe was executed by localadmin. The user is a local administrator account because it belongs to Administrators group. However, the process has only medium level. So this process was not elevated by UAC.
  • 47. Copyright Internet Initiative Japan Inc. 47 By the way, you can see the same list on MemProcFS by navigating to the token folder of a process like this.
  • 48. • We found only one uncommon process as a child of Explorer. • The program is placed under the startup folder. • Of course, it can be a legitimate program having persistence. We will check this more detail later. Copyright Internet Initiative Japan Inc. 48 Practice Exercise Checking Process Tree – Result
  • 49. Practice Exercise Netstat • Network status is listed in the following text files. We always use netstat-v.txt because netstat.txt is a subset of it. • M:sysnetnetstat.txt • M:sysnetnetstat-v.txt Copyright Internet Initiative Japan Inc. 49
  • 50. Copyright Internet Initiative Japan Inc. 50 Note that, this may not show all connections. There may be some connections that are missing due to timing of acquisition because closed connections are already removed from the connection table, although MemProcFS can carve the objects as much as it can. The output format is similar to netstat and ss commands.
  • 51. Practice Exercise Netstat - connections • There are six connections to external hosts originated from the suspicious process, browser-up.exe. • Brouse-up.exe seems to be an internet application. If it was malware, the destination hosts would be one of the most significant IoCs. • Googling or searching some other reputation services such as VirusTotal with the destination IP addresses may give you a clue. Copyright Internet Initiative Japan Inc. 51
  • 52. Practice Exercise Netstat - connections • aa Copyright Internet Initiative Japan Inc. 52 By searching the IP addresses on VirusTotal and checking the RELATIONS tab, you can confirm that the IP addresses are related to malware.
  • 53. Practice Exercise Netstat - connections • aa Copyright Internet Initiative Japan Inc. 53 We can also find that some of the malware listed in the previous slide connect to the both IP addresses that we found. Therefore, these two IP addresses must be malicious. If this were a real case, we would regard browser-up.exe process as malware. We would also check if any other hosts in your network accessed them immediately. Even if we did not find any evidences, we could still regard these communications are suspicious because they are not related to any common services. There are not so many destinations that normal programs except for web browsers in enterprise networks connect to. And most of the destinations are related to Microsoft or updater of famous applications.
  • 54. Practice Exercise Netstat - listening ports and applications • Next, let’s check listening ports. There are several common well-known ports (135, 139, 445), CDPSvc(5040) and MS-RPC(49152-65535) on legitimate programs. There seems to be nothing suspicious. • https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and- network-port-requirements Copyright Internet Initiative Japan Inc. 54
  • 55. Windows Listens on Port 5040 by Default • Recent Windows clients listen on TCP port 5040 for CDPSvc (Connected Devices Platform Service) by default. So, we can regard it as a benign service. You can check this by Process Explorer or Process Hacker. • According to this article, it has started in Windows 10 20H2. • https://www.chadduffey.com/2020/11/20H2.html Copyright Internet Initiative Japan Inc. 55
  • 56. Practice Exercise Checking Netstat with Volatility 3 (1) • With Volatility 3, you can check netstat by executing the following command line. Copyright Internet Initiative Japan Inc. 56 py -3 vol.py -f C:Artifactscase1physmem.raw windows.netstat.NetStat
  • 57. Practice Exercise Checking Netstat with Volatility 3 (2) • In addition, Volatility 3's netscan plugin can show carved TCP/IP objects. Copyright Internet Initiative Japan Inc. 57 py -3 vol.py -f C:Artifactscase1physmem.raw windows.netscan.NetScan NetScan plugin uses carving method for searching TCP/IP objects. It can find closed or timeout ones while NetStat plugin cannot. Therefore, we recommend using both.
  • 58. • However, in this case, Volatility's NetScan plugin misses closed connections to external hosts, while NetStat plugin finds a closed connection to an external host. • In general, NetScan finds more results than NetStat, but in this case it did not for some reasons. • Although we also used the Volatility's option "--single-swap-locations" that could parse pagefiles, it resulted in the same as the one without the option. We think Volatility still does not parse pagefiles at least for Windows OSes. • MemProcFS finds five more closed connections to external hosts. We think the cause of the difference between them is that Volatility does not support memory compression yet, in addition to the reason above. • https://github.com/volatilityfoundation/volatility3/issues/136 Copyright Internet Initiative Japan Inc. 58
  • 59. • We found the suspicious connections by the browser-up.exe process to external hosts. • VirusTotal shows that the IP addresses are related to some malware samples. Thus, these also must be malicious communications by the malware. Copyright Internet Initiative Japan Inc. 59 Practice Exercise Netstat - Result
  • 60. • MemProcFS's findevil detects RWX sections in a process and several other factors. • Findevil is kicked after launching MemProcFS with the forensic option or accessing this folder. Thus, you might have to wait for a few minutes before checking the results. Copyright Internet Initiative Japan Inc. 60 Practice Exercise RWX memory sections (1)
  • 61. Copyright Internet Initiative Japan Inc. 61 https://github.com/ufrisk/MemProcFS/wiki/FS_FindEvil There are several types of findevil module results described on its wiki or readme.txt on the findevil folder. We think PE_INJECT, PEB_MASQ, PRIVATE_RWX, PRIVATE_RX, NOIMAGE_RWX, NOIMAGE_RX and PROC_* are important.
  • 62. • aaa Copyright Internet Initiative Japan Inc. 62 Practice Exercise RWX memory sections (3) In this case, several sections of browser-up.exe are labeled as PRIVATE_RWX. It means that the process contains RWX sections in its own memory space. In addition, several other processes are listed, although they are legitimate. Let’s check what the RWX sections on browser-up.exe have.
  • 63. • To check the data of these RWX segments below, let’s go to the vmemd folder under browser-up.exe (PID:5944). • And you can open the following file with a hex viewer. Copyright Internet Initiative Japan Inc. 63 Practice Exercise RWX memory sections (4) The folder for memory segments of PID 5944 This file includes all the data listed above
  • 64. • Note that a segment shown in findevil.txt and a memory region in a vmemd folder is not one-to-one. A memory region in a vmemd folder consists of some segments in one, so we need to find memory regions that contain the target segment. • For example, those four segments above are included in the memory region on the .vvmem file below. Copyright Internet Initiative Japan Inc. 64 The memory region range is 0x7f7000 to 0x7fcefff. Therefore, those segments above belong to this region.
  • 65. • By opening the file with a hex editor, in this case, we used FileInsight, which has already been installed on the VM, you can confirm that the area looks containing a PE image. When PE injection was used, you would see this kind of data in a private memory segment like this. Copyright Internet Initiative Japan Inc. 65 Practice Exercise RWX memory sections (6)
  • 66. • You will also find there are RWX and RX sections in a few processes in this image. However, it is sometimes difficult to determine the purpose of the executable code. Strictly speaking, we would need to check the segments one by one. • However, check the suspicious processes first and put aside processes such as web browsers, “SearchHost.exe”, “smartscreen.exe”, Outlook, Teams and OneDrive ones because we sometimes see them on legitimate PCs for some reasons. For example, they might be legitemately injected by anti-virus software, or might be legitemate JIT compiled code. Copyright Internet Initiative Japan Inc. 66 Practice Exercise RWX memory sections (7)
  • 67. • Let's examine browser-up.exe in detail more. • If you want to apply strings command or Yara to an entire process at once, you can use "minidump.dmp". • This is a similar dump file to a result when using Sysinternals ProcDump. The format is Microsoft Crash Dump. You can analyze it with WinDbg or a product version of IDA Pro. However, here, we will apply strings command. Copyright Internet Initiative Japan Inc. 67 Practice Exercise Important Data in the Suspicious Process (1)
  • 68. • Run the following command line to extract readable strings from the minidump.dmp with a command prompt and Sysinternals strings, which can extract both ASCII and UNICODE strings at once. • The output contains over 500,000 of lines so it is very difficult to check them line by line. • Therefore, use a few REGEX patterns to detect C2 servers and User- Agent strings, which can be effective IoCs. Copyright Internet Initiative Japan Inc. 68 strings -accepteula M:namebrowser-up.exe-5944minidumpminidump.dmp > C:UserstaroDesktopbrowser-up-strings.txt Practice Exercise Important Data in the Suspicious Process (2) Enter this in a single line. Use cmd.exe. DO NOT use Powershell or WindowsTerminal.exe.
  • 69. • For example, we uaually apply the following patterns to suspicious process strings to find C2 servers. • ^s*[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+(.(?!exe|dll|pdb|inf|sys)([a-zA-Z0-9_-]+))+s*$ • ^s*([a-zA-Z0-9_-]+.)+(?!exe|dll|pdb|inf|sys)([a-zA-Z][a-zA-Z]+)s*$ • ^s*CONNECTs+[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+(.[a-zA-Z0-9_-]+)+ • ^s*CONNECTs+([a-zA-Z0-9_-]+.)+[a-zA-Z][a-zA-Z]+ • ^s*(GET|POST)?s*https?:// • MSIE • Mozilla • The first four patterns are for FQDNs and IP addresses. The fifth one is for URLs. The bottom two patterns are for User-Agent strings. Malware often contains these kinds of strings. Copyright Internet Initiative Japan Inc. 69 Practice Exercise Important Data in the Suspicious Process (3)
  • 70. GUI REGEX Filter Tool • Glogg • Glogg is a GUI-based grep tool. • The top pane displays original text data. The bottom pane shows the results matched with a REGEX pattern input to the text box in the middle. Copyright Internet Initiative Japan Inc. 70 Original text data Result REGEX form https://glogg.bonnefon.org/
  • 71. • By applying the patterns for URLs and User-Agent strings, you can see the following results. Copyright Internet Initiative Japan Inc. 71 Practice Exercise Important Data in the Suspicious Process (4) We have already found lower two IP addresses in the connection table. However, top one is new! This is the hard-coded user agent of the malware.
  • 72. • Actually, “browser-up.exe” has so many domain names other than the C2 servers. • What are these? Are they suspicious or malicious? • No. Actually, there is a mechanism called “SSL/TLS False Start”, which is a mechanism to enhance the speed of SSL/TLS connections. Web browsers and even WinInet has the mechanism. • https://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html • SSL/TLS False Start Blacklist is the list of domains to which the mechanism is not applied. • If a HTTPS request occurs with the web browsers, or WinInet APIs, the list, which is hard-coded in their binaries, will be loaded into their process memory space. • You can see the list at a certain point in time at the URL below. Copyright Internet Initiative Japan Inc. 72 SSL/TLS False Start Blacklist https://chromium.googlesource.com/chromium/src/net/+/f372faaffd528f 0be7392b2eef85261661190d57/base/ssl_false_start_blacklist.txt
  • 73. • Next, let’s learn how to extract suspicious PE images from a memory region. It is because additional malware is sometimes stored in the middle of a memory region. So far, we found the RWX segments below with findevil. Copyright Internet Initiative Japan Inc. 73 Practice Exercise Extract Embedded PE Images From the Suspicious RWX Area (1) The folder for memory segments of PID 5944 This file includes all the data listed above
  • 74. Practice Exercise Extract Embedded PE Images From the Suspicious RWX Area (2) • You can extract PE images embedded in a memory region with Didier Stevens' script, named pecheck.py. • https://blog.didierstevens.com/2020/03/27/carving-pe-files-with-pecheck-py/ • First, list up the PE images included in the region with the following command lines. • The script shows that an additional 64-bit DLL image is placed after the image that we have already found. Copyright Internet Initiative Japan Inc. 74 cd C:Tools py -2 pecheck.py -l P M:namebrowser-up.exe-5944vmemd0x0000000007f70000.vvmem Use cmd.exe. DO NOT use Powershell or WindowsTerminal.exe.
  • 75. • Then, you can extract the PE images with the following command lines. Copyright Internet Initiative Japan Inc. 75 Practice Exercise Extract Embedded PE Images From the Suspicious RWX Area (3) py -2 pecheck.py -l 1 -g s -D M:namebrowser-up.exe- 5944vmemd0x0000000007f70000.vvmem > C:UserstaroDesktoppe-32-exe.bin py -2 pecheck.py -l 2 -g s -D M:namebrowser-up.exe- 5944vmemd0x0000000007f70000.vvmem > C:UserstaroDesktoppe-64-dll.bin Enter this in a single line. Enter this in a single line. Use cmd.exe. DO NOT use Powershell or WindowsTerminal.exe.
  • 76. • The extracted PE files can be analyzed with your favorite disassembler like this. Copyright Internet Initiative Japan Inc. 76 Practice Exercise Extract Embedded PE Images From the Suspicious RWX Area (4)
  • 77. Practice Exercise Finding RWX Memory Areas with Volatility 3 • Volatility 3 also has a similar plugin to find RWX memory region in a process. However, it does not find the region in browser-up.exe in this case. Copyright Internet Initiative Japan Inc. 77 py -3 vol.py -f C:Artifactscase1physmem.raw windows.malfind.Malfind --pid 5944
  • 78. • You can extract a specified memory region with Volatility 3 by running the following command. • The dumped file is saved in the current directory. • However, in this case, the dumped image does not have data. It might be because the memory region paged-out or was compressed. Copyright Internet Initiative Japan Inc. 78 Practice Exercise Extract Process Memory with Volatility 3 py -3 vol.py -f C:Artifactscase1physmem.raw windows.vadinfo.VadInfo --pid 5944 --address 0x7f70000 --dump Enter this in a single line.
  • 79. Practice Exercise RWX memory sections – Result (1) • The browser-up.exe process has suspicious RWX segments. • Two PE images are embedded in the memory region, which includes the segments above. • This is an evidence of PE injection. Copyright Internet Initiative Japan Inc. 79
  • 80. Practice Exercise RWX memory sections – Result (2) • We have also found three URLs and a hard-coded User-Agent strings in the strings of brouser-up.exe. Those are effective IoCs. Copyright Internet Initiative Japan Inc. 80
  • 81. Practice Exercise RWX memory sections – Result (3) • We could extract the PE images found in the RWX memory region with pecheck.py. We are ready to analyze the images. Copyright Internet Initiative Japan Inc. 81
  • 82. Scripting Language Investigation with Strings in a Process • If you want to analyze a process of scripting language, search welknown functions’ name or language syntax as keywords in it. • For example, PowerShell uses the “Invoke-” prefix such as “Invoke-Command” “Invoke-Expression” and “Invoke-WebRequest” for some functions. • A function starts with “Function FUNCTION_NAME“ as the function definition syntax. • It is because, you could recover decoded script contents or evidence of command execution with parameters even if scripts or logs were already removed from the disk. • In several cases, we have recovered perl and powershell scripts, which attackers had already deleted on the file system, from their process memory spaces. Copyright Internet Initiative Japan Inc. 82
  • 83. Strategies of Memory Forensics • Checking process tree • Investigating TCP/IP communications • Finding RWX sections • Exploring MFT and registry entries • Analyzing persistence artifacts (Registries, Services, Tasks…) Copyright Internet Initiative Japan Inc. 83 Checking these is very useful for finding infection date and attackers’ activities more. After the analysis above, you can check several artifacts more. MFT and registries are most important artifacts if you have a pivot point such as a timestamp or a path.
  • 84. Strategies of Memory Forensics Explorer MFT and Other Items in Timeline Format • MFT is a table for managing metadata of NTFS. It is stored in each NTFS volume. MFT is mapped on memory as well so that you can check file-folder related information such as their size, creation and modification time by parsing MFT entries. • You can also know the first and the last execution time of programs by checking the creation and modification time of prefetch files. • MemProcFS can generate several kinds of timeline including the information above with the forensic option. Copyright Internet Initiative Japan Inc. 84
  • 85. Prefetch Files (1) • Prefetch is a Windows function for diagnosing user behaviors and creating a list of necessary library files to improve application execution performances. • Prefetch files are created in “Prefetch” folder under “Windows”. • Prefetch is not always enabled in some cases. For example, it is disabled on Windows Server hosts by default. It is also disabled when a host is running as a virtual machine in some cases. • Prefetch files are created when the program was executed for the first time. • The .pf files will be updated after each program execution. • They may be deleted automatically in some cases. • E.g. When the number of Prefetch files reached the maximum. Copyright Internet Initiative Japan Inc. 85
  • 86. Prefetch Files (2) • Each Prefetch file stores 8 execution histories for Windows 8 and newer. • 1 execution history is stored on older Windows. • Since Prefetch files are updated every time the program is being executed, file system timestamps of the .pf files may be considered as a program execution history record. • Creation timestamp as the first execution time. • Modification timestamp as the last execution time. • However, note that a Prefetch file is created or modified at the earlier one of: 10 seconds after the program was executed, or the program was terminated. Therefore, there might be a maximum of 10 seconds of difference between the file timestamps and the actual execution time. • Non-existence of Prefetch files does not tell that the program has never been executed. For example, there are cases where .pf files are not generated when the program was executed with SYSTEM privileges. Copyright Internet Initiative Japan Inc. 86
  • 87. • MemProcFS can generate timelines of MFT and other important events. • Here, let's check the timeline for all events. Copyright Internet Initiative Japan Inc. 87 Practice Exercise Exploring MFT Events in Timeline Format (1)
  • 88. • あああ Copyright Internet Initiative Japan Inc. 88 • Note that the latest event appears at the top and the oldest one is at the bottom. • The timeline has almost 300,000 lines, so it is impossible to view the whole timeline line by line. • When examining a timeline, search it for pivot points, which are important information we already know such as infection time and paths to malicious files, and then check the lines around the pivot points. • Let’s apply this to the timeline.
  • 89. Practice Exercise Exploring MFT Events in Timeline Format (3) • First, search the timeline for the suspicious process name that we found as a pivot point. Copyright Internet Initiative Japan Inc. 89
  • 90. Practice Exercise Exploring MFT Events in Timeline Format (4) • Then, you will find the process creation time first. • Of course, it is the same date as the one that we found in proc-v.txt because the line is generated from the process information. Copyright Internet Initiative Japan Inc. 90
  • 91. • Next, you will find the prefetch file modification entry of browser-up.exe. It should be recorded at about 10 seconds later than the process creation event. However, it was recorded 22 seconds earlier than the process creation. It is very weird. • At this moment, there were several other prefetch modification events recorded earlier than their process creation events such as smartscreen.exe and audiodg.exe. Although we are not sure why they occurred, Windows booting process might affect the behavior. • Anyway, you can find many modification entries of prefetch files that were recorded at the same time as browser-up.exe’s one. Although, these could be related to the behavior of browser-up.exe, in this case, we can presume that these modification events indicate that the Windows OS booted up. It is because, as we already know, browser-up.exe is in the startup folder. Copyright Internet Initiative Japan Inc. 91
  • 92. • Next one is the prefetch file creation entry of browser-up.exe. • It is the first execution time of the program. And you can see another prefetch creation entry was recorded at the same time. It is for "BRAVEBROWSERSETUP-VER979.EXE". It might be related to browser- up.exe and it looks also related to a brave browser installer because of the name. Copyright Internet Initiative Japan Inc. 92 Practice Exercise Exploring MFT Events in Timeline Format (6)
  • 93. • Next ones are the file read, creation and modification events of browser- up.exe. • Since the modification time is slightly earlier than the creation time, the program file might have been copied in the same hard disk partition. • When a file in an NTFS volume is copied, its creation and its access timestamps are updated while its modification timestamp is kept. • https://www.kazamiya.net/en/NTFS_Timestamps • These timestamps could indicate around the actual infection time. Copyright Internet Initiative Japan Inc. 93
  • 94. • In addition, you can find the file creation and the modification event of the BraveUpdateSetup.exe. • The executable file might be related to browser-up.exe because it was created at the same time and we also found the similar name around the first execution time of browser-up.exe. Copyright Internet Initiative Japan Inc. 94
  • 95. • Volatility's MFTScan plugin can extract MFT records from a memory image. However, this plugin usually outputs relatively fewer results than MemProcFS. • We think the cause of the difference between them is that Volatility does not handle pagefiles properly and does not support memory compression yet. Copyright Internet Initiative Japan Inc. 95 Practice Exercise Investigating MFT with Volatility 3 set PYTHONIOENCODING=utf-8 py -3 vol.py -f C:Artifactscase1physmem.raw windows.mftscan.MFTScan > C:userstarodesktopcase1-mftscan.txt Enter this in a single line. Use cmd.exe. DO NOT use Powershell or WindowsTerminal.exe.
  • 96. • Volatility 3 can also generate a timeline from several plugins such as MFTScan, PSScan, PSList, NetScan, NetStat, DllList and so on. • However, we could not find browser-up.exe related events other than the process creation in the result due to the same reason as the previous slide. Copyright Internet Initiative Japan Inc. 96 Practice Exercise Exploring Timeline with Volatility 3 set PYTHONIOENCODING=utf-8 py -3 vol.py -f C:Artifactscase1physmem.raw timeliner.Timeliner > C:userstarodesktopcase1-timeliner.txt Enter this in a single line. Use cmd.exe. DO NOT use Powershell or WindowsTerminal.exe.
  • 97. • Let’s summarize the results finally. • We found the creation time of browser-up.exe, and the first and the last execution time of it. • "BraveUpdateSetup.exe" and "BRAVEBROWSERSETUP-VER979.EXE" could be related to browser-up.exe because of their creation timestamps, their names and their execution timing. • Actually, this was a fake Brave browser installer and it resulted in the malware infection. • https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf Copyright Internet Initiative Japan Inc. 97 Practice Exercise Exploring MFT Events – Result
  • 98. • We found the following important information about the malware with MemProcFS. Copyright Internet Initiative Japan Inc. 98 Practice Exercise Conclusion Item Value Process name browser-up.exe Path of the program C:UserslocaladminAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupbrowser-up.exe Persistence mechanism Startup folder (Possible) Infection date 2022-05-06 07:44:06 UTC C2 server 104.168.213.95, 45.117.102.243, 45.77.227.248 User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36 Programs that might be related BRAVEBROWSERSETUP-VER979.EXE, BraveUpdateSetup.exe
  • 99. • Actually, there are two types of malware on memory. • One is selfmake. And another one is spiderpig. • Selfmake is a loader of spiderpig. • This is browser-up.exe. • It accesses 45.77.227.248 to download spiderpig with https protocol. • The spiderpig sample accesses the IP addresses below. • 104.168.213.95, 45.117.102.243 • It is only on memory. You would lose the information if you did not perform memory forensics! • Check the report we formerly mentioned if you are interested in. Copyright Internet Initiative Japan Inc. 99 Practice Exercise Conclusion (2)
  • 100. Tips (1) • You can use Explorer’s search feature to find a path or a content under a certain path. This is very useful for finding a persistence under a registry hive.
  • 101. Tips (2) • Note that, after entering a keyword and starting the search, make sure you check “File contents” option on “Search options”. Otherwise, you will miss the result if you want to search for a keyword included in value data of a registry.
  • 102. Tips (3) • If you want to use complex search conditions, check “Using Advanced Query Syntax Programmatically” out. • https://docs.microsoft.com/en-us/windows/win32/search/-search-3x- advancedquerysyntax Copyright Internet Initiative Japan Inc. 102
  • 103. Tips (4) • You can also map a drive mounted by MemProcFS on WSL like the commands below and search for a keyword with grep command. • The commands will map the drive M to “/mnt/m” on WSL. And search files for “KEYWORD_TO_BE_SEARCHED” under the “/mnt/m/path/to/something” folder. mkdir -p /mnt/m sudo mount -t drvfs "M:" /mnt/m grep -i KEYWORD_TO_BE_SEARCHED -r /mnt/m/path/to/something -s
  • 104. Tips (5) • If a file on MFT is small enough, the file content can be recovered.
  • 105. Commentary of CTF-Style Game Copyright Internet Initiative Japan Inc. 105
  • 106. Finding Evil on Case 2 Copyright Internet Initiative Japan Inc. 106
  • 107. Process Tree (1) • Open “proc” folder under “sys” folder and open “proc.txt”. • You can get running processes information on the system. Copyright Internet Initiative Japan Inc. 107
  • 108. Process Tree (2) • When you check the process tree, you will find onedrivecli.exe on the explorer subtree. • At a glance, it looks a legitimate process because of the name. However, it is not a common process name. • The legitimate OneDrive process is “OneDrive.exe”. Is it a CLI version of OneDrive? It is weird. • It spawns a command prompt as well. • Therefore, you should check this carefully. Copyright Internet Initiative Japan Inc. 108
  • 109. Copyright Internet Initiative Japan Inc. 109 If you check “proc-v.txt”, you will find the suspicious process is in “Windows” folder even though it seems a part of OneDrive. The legitimate OneDrive is in “OneDrive” folder. It is actually different from the path associated with OneDrive files. It is a little bit weird.
  • 110. How to Check TCP/IP Communications (1) Copyright Internet Initiative Japan Inc. 110 Next, check TCP/IP communications. Open netstat-v.txt.
  • 111. Copyright Internet Initiative Japan Inc. 111 The suspicious process had three connections. If you search the google for this IP address, you will find the report below. It was used for gh0sttimes’ C2 Server. Therefore, this process must be malware. https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html
  • 112. Copyright Internet Initiative Japan Inc. 112 If you search for “onedrivecli” under HKUlocaladmin, you will find the persistence of it in run key. The reason why we decided to check under the registry is that the malicious process was run with the user’s access rights.
  • 113. Copyright Internet Initiative Japan Inc. 113 If you search for malicious domain names with the REGEX pattern above, you will easily find it on the strings of the malicious process. strings M:nameonedrivecli.ex-6108minidumpminidump.dmp > %USERPROFILE%Desktoponedrivecli.ex-6108-string.txt
  • 114. Copyright Internet Initiative Japan Inc. 114 If you search for executables with “.exe”, you will find a part of the result of the dir command as above. And you will also find the full path to the files as below. Although they are already deleted, you can still find the evidence on the strings.
  • 115. Copyright Internet Initiative Japan Inc. 115 If you search timeline_all.txt or timeline_ntfs.txt for “onedrivecli”, you will easily find the file creation time. The date would be close to the infection date if you were in a real case.
  • 116. Copyright Internet Initiative Japan Inc. 116 If you search timeline_all.txt for “sdelete”, you will easily find two evidences of sdelete64.exe’s execution. One is the prefetch file. Another one is the registry key. A Sysinternals utility creates its own key when it is executed for the first time.
  • 117. Finding Evil on Case 3 Copyright Internet Initiative Japan Inc. 117
  • 118. Process Tree (1) • Open “proc” folder under “sys” folder and open “proc.txt”. • A process that starts with a single “-” is an orphan process. • Since “System” is always an orphan, ignore them first. Copyright Internet Initiative Japan Inc. 118
  • 119. Process Tree (2) • When you check the process tree, you will find an orphan svchost.exe. • PID: 2884 • It should be spawned by services.exe, if it were a legitimate one. Therefore, the orphan svchost process is suspicious.
  • 120. FindEvil • After the forensic option is completed, you will see the content of findevil.txt. If you open it, … (Next slide) Copyright Internet Initiative Japan Inc. 120
  • 121. FindEvil Copyright Internet Initiative Japan Inc. 121 You will find that httpsX64_d.dll module was injected into the svchost process. Actually, it is not on MFT. The attacker must have been injected the malicious PE image by decoding it only on memory. In addition, the process has several RWX segments.
  • 122. How to Check TCP/IP Communications (1) Copyright Internet Initiative Japan Inc. 122 You will find TCP/IP communications in “sysnet” folder. At this time, let’s open netstat-v.txt.
  • 123. Scenario 3 Labs (2) Copyright Internet Initiative Japan Inc. 123 You will find that the malicious svchost process had connected to a unknown external host, 8.208.14.5. Therefore, this should be a malicious IP address. You can also confirm that the other IP addresses listed as destinations of TCP/IP connections are used for Microsoft's services. So they should be legitimate.
  • 124. Examine Strings in the Malicious svchost Process Copyright Internet Initiative Japan Inc. 124 • You can extract both ASCII and Unicode strings from the process memory space with the following command line. • Then, you can find a suspicious URL by applying one of the filters we mentioned before. This should be the malicious URL. strings M:namesvchost.exe-2884minidumpminidump.dmp > %USERPROFILE%Desktopsvchost-2884.txt
  • 125. Finding Embedded PE images Copyright Internet Initiative Japan Inc. 125 • You can find two embedded PE images by parsing the vvmem files of the memory regions that are labeled as Private RWX by findevil. cd C:Tools py -2 pecheck.py -l P M:namesvchost.exe-2884vmemd0x0000000180000000.vvmem cd C:Tools py -2 pecheck.py -l P M:namesvchost.exe-2884vmemd0x000002b6c6660000.vvmem
  • 126. Copyright Internet Initiative Japan Inc. 126
  • 127. Copyright Internet Initiative Japan Inc. 127
  • 128. Finding Files Related to the Malicious Svchost Process (1) Copyright Internet Initiative Japan Inc. 128 • The svchost process, which httpsX64_d.dll was injected into, must be spawned by another malicious process. And the malicious process should have started right before the svchost process started. • Finding the prefetch file of the malicious svchost process may provide a clue. • However, there are so many prefetch files for svchost.exe on the system because it is a program to host Windows services and it has multiple instances. • How should we do to identify it?
  • 129. Finding Files Related to the Malicious Svchost Process (2) Copyright Internet Initiative Japan Inc. 129 • When you check proc-v.txt, you will find the malicious svchost process was launched without any arguments. • It is not common usage of svchost.exe. It should be used with a few arguments, at least a service name, such as "-k netsvcs -p" and "-k LocalServiceNetworkRestricted -p" because it is a service host for Windows services. • Therefore, we could distinguish the malicious one from legitimate ones.
  • 130. Finding Files Related to the Malicious Svchost Process (3) Copyright Internet Initiative Japan Inc. 130 • In order to create the prefetch file of svchost without arguments, execute the command on your VM as below. • Now you got the file name! It is “SVCHOST.EXE-2823DB96.pf”.
  • 131. Finding Files Related to the Malicious Svchost Process (4) Copyright Internet Initiative Japan Inc. 131 • Note that you will need to input the full path of it and the string needs to be case-sensitive to recreate. And do not use a PowerShell console or a Windows Terminal since they will create a different hash value. • You will also need to execute it on the Windows OS that has the same partition layout as the victim’s one because of the hash algorithm of Prefetch. • And you will also need to use Windows 7 or later to recreate it. • If you are interested in the hash algorithm, check the URL below. • https://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a- hash-lookup-table-xpvistaw7w2k3w2k8/
  • 132. Finding Files Related to the Malicious Svchost Process (5) Copyright Internet Initiative Japan Inc. 132 • Next, search timeline_all.txt for the name of the prefetch file, "SVCHOST.EXE-2823DB96.pf“ to look into the activities around that time.
  • 133. Finding Files Related to the Malicious Svchost Process (6) Copyright Internet Initiative Japan Inc. 133 • The first result is the file modification entry of the prefetch file. However, you will see many prefetch files were modified at the same time. It seems they were recorded while the Windows OS boots up. So, it is difficult to find a clue unfortunately. But you can still find the parent process of the malicious svchost might have a persistence mechanism because it survived rebooting.
  • 134. Finding Files Related to the Malicious Svchost Process (6) Copyright Internet Initiative Japan Inc. 134 • The next one is the file creation entry of the prefetch file. It should be around the first execution time of the malicious svchost process. • Near the file creation, you can also find that VBOXDTRACE.EXE, which looks a VirtualBox-related program, was also executed for the first time because of the prefetch file creation. The timestamp was 10 seconds before the malicious svchost’s prefetch file creation time. • Since the malicious svchost.exe kept running on the system after this moment, the prefetch file should have been created 10 seconds after its actual execution time. Therefore, it is possible that vboxdtrace.exe and the malicious svchost were executed almost at the same time.
  • 135. ??? VBoxDTrace.exe svchost with a malicious PE (httpsX64_d.dll) 135 Copyright Internet Initiative Japan Inc. Kept running Started at 2022-05-29 11:19:1707? Started at 2022-05-29 11:19:07 Assumption:
  • 136. ??? VBoxDTrace.exe svchost with a malicious PE (httpsX64_d.dll) 136 Copyright Internet Initiative Japan Inc. Exited right after injecting a PE image Kept running Created svchost and injected a PE Started at 2022-05-29 11:19:1707? Started at 2022-05-29 11:19:07 Assumption: If vboxdtrace.exe used reflective PE injection technique, it could happen. It is because vboxdtrace.exe should have exited right after injecting a malicious PE image into the svchost process. Then the vboxdtrace.exe's prefetch file must have been created at the same time of the execution time. On the other hand, as we mentioned, the svchost process kept running and the prefetch file should have been created 10 seconds after the execution.
  • 137. Finding Files Related to the Malicious Svchost Process (6) Copyright Internet Initiative Japan Inc. 137 • The first one is the file modification entry for the prefetch file. However, a lot of prefetch files were modified at the same time. It seems to be Windows booting, so it is difficult to find a clue unfortunately. • You will also find several files under the VirtualBox folder, which might also be related to VBoxDTrace.exe because of the file and the folder name, around the prefetch files recorded. • Let’s check the details more.
  • 138. Finding Files Related to the Malicious Svchost Process (11) Copyright Internet Initiative Japan Inc. 138 • Actually, you can find that VBoxDTrace.exe is also placed in the same folder as the files that we mentioned in the previous slide. A .exe file, a .dll file and a unknown binary file are a typical layout of the DLL side loading attack. Actually, VBoxTrace.exe is a legitimate file, but VBoxRT.dll is a malicious dll. It is loaded by VBoxTrace.exe. It decrypts a payload in wpn.svr and injects into svchost created by itself. So you can presume the attacker also might have used the technique as well for an Autoruns evasion.
  • 139. Finding Files Related to the Malicious Svchost Process (12) Copyright Internet Initiative Japan Inc. 139 • If you were responding to the real incident, you should get the files and perform dynamic malware analysis to confirm the behavior such as a svchost process creation, injecting a PE image into svchost, and accessing to the malicious server. • In this case, VBoxDTrace.exe and the files in the same folder are related to the malicious svchost process.
  • 140. Finding Files Related to the Malicious Svchost Process (6) Copyright Internet Initiative Japan Inc. 140 • The first one is the file modification entry for the prefetch file. However, a lot of prefetch files were modified at the same time. It seems to be Windows booting, so it is difficult to find a clue unfortunately. • In addition, you can also find a service entry named "WpnServec“ on the HKLMSYSTEM registry hive was modified at the same time as the first execution time of VBOXDTRACE.EXE. • “WpnServec” service might have been created at the moment. • Note that registry modification event will be occurred when a service is created since registry hives only have modification time for each key. • Therefore, you should check the services next.
  • 141. Finding Files Related to the Malicious Svchost Process (14) Copyright Internet Initiative Japan Inc. 141 • Services.txt shows service entries in the registry. • Let's search it for the service name that we found in the previous slide.
  • 142. Finding Files Related to the Malicious Svchost Process (15) Copyright Internet Initiative Japan Inc. 142 • Then, you can find the persistence entry of the malware.
  • 143. Memory Forensics with Swap Files Copyright Internet Initiative Japan Inc. 143
  • 144. Memory Forensics with Swap Files (1) • As we mentioned earlier, MemProcFS has an amazing feature. • It can load swap files! You can load them like this. • This would be very useful if reflective PE injection techniques were used. • The PE header of a loaded PE image with the technique will be paged out because it will never be referred after the PE is loaded. Copyright Internet Initiative Japan Inc. 144 .MemProcFS.exe -device PhysicalMemory -pagefile0 pagefile.sys -pagefile1 swapfile.sys Pagefile.sys is used for native apps and the OS. Swapfile.sys is used for UWP apps.
  • 145. Copyright Internet Initiative Japan Inc. 145 The left example figure shows us a result without swap files. The right figure shows us a result with the files. Although I used the same memory image for both, we can find that many DLLs are injected into lsass process on the right while we cannot see any injected DLLs on the left.
  • 146. Memory Forensics with Swap Files (3) • To acquire swap files, use KAPE, TSK and other acquisition tools that can acquire locked files. • Note that esentutl cannot get them because they are out of scope of the VSS. • And I also pull-requested to the developer of the CDIR Collector to acquire them with it. • However, they have not taken the request yet. We need to wait for a while… • I released the compiled binary in my github account below, although the executable file does not have code-sign. • https://github.com/herosi/CDIR/ Copyright Internet Initiative Japan Inc. 146
  • 147. Wrap up - Memory Forensics Copyright Internet Initiative Japan Inc. 147
  • 148. What We Lesson Learned in Memory Forensics (1) • There are several important strategies for an initial investigation of memory forensics. • Checking process tree • Investigating TCP/IP communications • Finding RWX sections • We found that MemProcFS can show us: • Process tree • TCP/IP communications • Registry hives • $MFT • Suspicious modules and memory regions • … Copyright Internet Initiative Japan Inc. 148
  • 149. What We Lesson Learned in Memory Forensics (2) • We found that MemProcFS can handle: • Contents of memory images as files and folders by mounting them • Swap files • CompressedMemory • We found that a memory image with swap files could solve a problem when a reflective PE injection is used. • And other page-out related problems with that, of course. Copyright Internet Initiative Japan Inc. 149
  • 150. Strategies of Memory Fast Forensics Checking Auto Start Entries with Several Important OS Artifacts • We would perform persistence analysis with the top priority if we were investigating disk images. However, we cannot use tools such as Autoruns for memory. Although there are registry hives on memory, we can access only some parts of them due to paged out, mapped files or acquisition timing. • Therefore, we should get several important OS artifacts such as registry hives and WMI related files on a disk at the same time when acquiring a memory image. And check them with dedicated tools for them such as Registry Explorer. That is why we recommend using a triaged acquisition tool such as KAPE and CDIR-Collector at the same time when acquiring a memory image for the first step. • We also recommend acquiring swap files as well because of the first paragraph above. Copyright Internet Initiative Japan Inc. 150
  • 151. Thank you @herosi_t, @unk0unk0 Special Thanks to Ulf Frisk (@UlfFrisk)